Dynamics 365 Business Central: thecontextSensitiveHelpUrl parameter and malicious urls

This is a very quick post for signaling a potential problem when you distribute your apps (per-tenant extensions) to your customers without carefully checking your app.json file.

When you create an extension with the AL:Go! command, the skelethon of your extension’s project is created and if it’s your first project the default name of your extension is set to ALProject1.

This is the auto-generated app.json file in this case:

What happens here? The contextSensitiveHelpUrl parameter (that defines the base help URL for objects defined in this extension) redirects to ALProject1.com website, that actually it’s a registered external website that potentially can also be malicious. If the user clicks on the Help button on your extension information’s details, it will be redirected to this website.

Be aware of that! Please always change the default contextSensitiveHelpUrl parameter of EVERY extension you have and use a correct value (redirect to your company’s website for example). NEVER leave the default values. At the moment only ALProject1.com is registered as an external website, but nothing prevent someone to register other domains like this and act malicious things.

P.S. Microsoft is now alerted on this. As default, the standard app.json template should not provide any value for this field in my opinion. Probably this will be the solution that Microsoft will adopt in a next AL language update.

Comment List